Why a Smartphone 'Kill Switch' Won't Stop Phone Theft

The idea of a smartphone "kill switch" sounds promising and is a step in the right direction in the fight against phone thieves, but it's not a solution to the problem, according to CIO.com's Al Sacco.

Yesterday, wireless industry group CTIA announced a partnership between many of the major smartphone makers and all of the leading U.S. wireless carriers that's designed to enable smartphone "kill-switch" functionality on handsets sold in the United States after July 2015.

The partnership, called the "Smartphone Anti-Theft Voluntary Commitment," comes after months of mounting pressure from consumer advocates and politicians on device manufacturers and carriers to implement a kill switch system that could make lost or stolen devices useless, therefore dissuading would-be thieves.

Voluntary Kill Switch Takes Remote Security a Step Further

Many leading smartphone manufacturers, and some carriers, already offer "find-my-phone" features that let users remotely lock and locate their devices. But the majority of these solutions simply reset smartphones to factory settings after a certain number of failed password attempts, which makes them prime goods on the black market.

The CTIA partnership includes a provision that blocks factory resets and makes stolen devices useless after a certain number of failed password attempts, which drastically reduces the street value of devices that have the kill-switch functionality enabled.

If you read the CTIA announcement, you might notice that the word "voluntary" shows up quite often. Indeed, the word is in the official name of the partnership. That use of "voluntary" refers to the fact that device makers and carriers are agreeing to implement a kill-switch system before legislators force it on them.

The more important application of the word applies to smartphone users, because this kill switch is also voluntary for them. In other words, it will be up to consumers to enable the functionality, just like passwords today. Like passwords, consumers will presumably need some sort of passcode to remotely access the kill-switch feature.

The fact is that many smartphone users simply can't be bothered with passwords and don't consider security until it's too late.

Kill Switch Success Depends on the Users

Last month, Jerry Irvine, CIO of Prescient Solutions, an IT outsourcing services firm, stressed this fact to me in a conversation. It's not only true of consumers, but also corporate executives, who should presumably be more security conscious.

"I was recently in a meeting with about 25 CFOs of multimillion dollar accounts," Irvine said. "I asked how many of them had PINs on their phones, and less than a half a dozen said they did."

I suspect it will be a similar situation with the kill-switch option. You'll presumably only have to opt-in to the service once when you set up a new device. That's obviously much less intrusive than entering in a password every time you want to use your phone. But smartphone owners will still need to opt-in and remember their kill-switch passwords.

Then there are the privacy implications. Some people simply won't opt in to a program that gives device makers or carriers remote control over their devices, for fear that wireless carriers, government agencies or hackers could misuse the permissions.

At the very least, the kill switch should deter thieves, and that's a step in the right direction. But it will not solve the problem of smartphone theft.

Consider that the people stealing phones probably aren't the most reasonable folks in the world. A "steal first, consider kill switch later" approach seems likely -- even if it means ditching every other stolen device because it can't be unlocked. If half of all U.S. smartphone users opt-in to the kill-switch program, one in two stolen smartphones could still be sold on the black market. If you're a thief, those aren't bad odds.

I give the device makers and carriers credit for "voluntarily" implementing a kill switch...even they're only doing it because mandatory legislation seems imminent. I don't believe the kill-switch option should be forced on users, just as I don't believe passwords should be mandatory all on smartphones. As is the case with all information security measures, the responsibility ultimately falls on the user.